Central management of desktop icons & uniform desktop

Introduction

A customer in a healthcare practice has asked for a uniform desktop for all users.

They have about 30 employees and they want a desktop that is exactly the same for all users. This means that the shortcuts published by a GPO are at exactly the same location on the desktop of every computer, so no matter which user is logged on, the shortcut to, for example, their healthcare application has to be in the centre of the screen, a shortcut to a document on the server in the top right corner, etc.

If the user somehow rearranges the shortcuts on the desktop, they have to be reset to the default when the user logs on again. OS: Windows 7 for now, with a migration to 10 next year.

The user is allowed to have some personal shortcuts on their desktop.

I personally think this is a nightmare in the making but maybe there are options. I've already googled but didn't find a solution besides hacking the registry somehow.

So, inspired by the above and asked to write a How To about this, I've created one right here. How is this problem solved and how can you solve this as well?

What do you need for this How To?

- 1 Windows Server with Active Directory installed and configured
- 1 Windows Client, for example Windows 7 or Windows 10
- Network connection so the client can communicate with the server.
- Excel or some other spreadsheet program to create a Shortcut Document

The client has to be joined to the domain and able to log in to the domain before you start with this How-To.

You need some knowledge of managing and maintaining a Windows Server environment.

Steps
(16 total)

1

Make a shortcut document

From the management team I've received a list of document paths and URLs, both with names for the shortcut. So the first step, to make it easier to create and manage the shortcuts, is an Excel file with all the parameters that are needed to create these shortcuts later on.
The file has the following headers:

Type - What type it is going to be (Program, Share, Document, URL)

Name - What is going to be the name (Display name)

Target Type - File System Object or URL

Location - All Users Desktop or Desktop or one of the other options.

Target Path - Self explanatory

Arguments - If needed

Start in - Is the Target Path minus the document or program name

Shortcut key - If needed

Run - Leave it empty; only fill it in when needed

Comment - Only used for management purposes, fill in when needed

Icon File Path - %SystemRoot%\system32\SHELL32.dll or a .ICO file on a hidden share

Icon Index - If you are using the SHELL DLL then it can be 0 to 164; if you use an ICO file then most of the time it's 0

I've added an Excel file with a few examples for programs.

I use green and red color coding in my file to see which icons are published and which are not published anymore. As long as they are on the server, leave them in the file.

TIP! Make sure all the paths and files are working and the rights are set so that all users can access the files.

Also make sure that any URLs are correctly spelled and working before applying them to all users.
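The checks from the TIP above can be scripted. The following PowerShell is an added example, not part of the original How-To: it assumes the sheet has been exported to CSV as shortcuts.csv (a hypothetical name) with the column headers listed above, and it reports every row whose target, Start in folder, URL or icon path would not work.

```powershell
# Added example: checks a CSV export of the shortcut document before its rows are
# pasted into the GPO. The CSV export and file name are assumptions; the column
# names are the headers from step 1. Needs PowerShell 3.0 or later.
function Test-ShortcutRow {
    param([Parameter(Mandatory)] $Row)

    $problems = @()
    $expand   = { param($s) [Environment]::ExpandEnvironmentVariables([string]$s) }
    $target   = & $expand $Row.'Target Path'

    if ([string]::IsNullOrWhiteSpace($Row.Name)) { $problems += 'Name is empty' }
    if (-not $target) { return $problems + 'Target Path is empty' }

    switch ($Row.'Target Type') {
        'URL' {
            $uri = $null
            $ok  = [Uri]::TryCreate($target, [UriKind]::Absolute, [ref]$uri)
            if (-not $ok -or $uri.Scheme -notin 'http', 'https') {
                $problems += "Not an absolute http(s) URL: $target"
            }
        }
        'File System Object' {
            if (-not (Test-Path -LiteralPath $target)) {
                $problems += "Target not reachable: $target"
            }
            # "Start in" should be the Target Path minus the file name.
            $startIn = (& $expand $Row.'Start in').TrimEnd('\')
            if ($startIn -and $startIn -ne (Split-Path -Path $target -Parent)) {
                $problems += "Start in is not the target's folder: $startIn"
            }
        }
        default { $problems += "Unknown Target Type: $($Row.'Target Type')" }
    }

    $icon = & $expand $Row.'Icon File Path'
    if ($icon -and -not (Test-Path -LiteralPath $icon)) {
        $problems += "Icon file not reachable: $icon"
    }
    $index = 0
    if ($Row.'Icon Index' -and -not [int]::TryParse($Row.'Icon Index', [ref]$index)) {
        $problems += "Icon Index is not a number: $($Row.'Icon Index')"
    }
    return $problems
}

# Run as an ordinary test user so missing access rights show up as "not reachable".
Import-Csv -Path '.\shortcuts.csv' | ForEach-Object {
    foreach ($p in (Test-ShortcutRow -Row $_)) { '{0}: {1}' -f $_.Name, $p }
}
```

No output means every row passed; rows whose target is a folder or share may trigger the Start in hint and can be ignored.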

2

Create a Security Group

Before you start with the GPO, make sure you have a Global Security Group available to protect your GPO from being accidentally deployed across the network you are managing. Give the group a logical name like DG_SEC_AllUsersShortcuts

DG = Domain Global
SEC = Security
AllUsersShortcuts = The name of the GPO as well.

Add the Test User and Test Computer you are going to use for this How-To to the security group as members.

3

Create a GPO

Next step is to create a GPO for the Shortcuts.
My GPO is called CU-AllUsersShortcuts
Which means

C for Computer

U for User

and then a dash followed by the explanation of the GPO in a few words. Keep it simple so every administrator will understand what the purpose of the GPO is.

4

Protect the GPO

Make sure the GPO is not set to Authenticated Users, as it is by default. Remove that entry and set the Security Group you created in the second step.

5

Fill the GPO with Shortcuts

Because you prepared the Shortcut document in the first step, this step is just a copy and paste of the data from the sheet.

6

Download the program ReIcon

Download the latest version of the program ReIcon from the official website.

NOTE! This is a direct link to version 1.7, which is the latest version at the time of writing this How-To.
If there is a newer version, then use the latest version available.

Once you have downloaded the ZIP file, extract the contents to a directory on your test client, for example C:\Apps\DesktopLayout\*.*; you need it later on.

7

Link the GPO

Now that you have completed your GPO and the ReIcon setup on the test computer, it's time to link the GPO if you haven't done so already.

Link the GPO to the right OU that is available for testing.

8

Log in on the test client

Now switch to the test client you have prepared for this.
Log in with the account you have available for testing (the account you have added to the security group).

After login has completed, run GPUPDATE /FORCE from the command line. If you have made no mistakes in the GPO, the shortcuts you created in the GPO should now appear on your desktop.

If not, check the System Error Log of the client for more information. The message tells you where to look.

TIP: if you used computer shortcuts and they do not work, then move them to the user shortcuts and give it another try. That solved a lot of issues for me, thanks to some research on Google based on the system error log.

9

Set average screen resolution

Set your test client to the company's average screen resolution so you can place the icons in the position you would like them to have on all clients. Doing this saves you a lot of trouble later on when you are deploying the GPO to all users.

10

Move Shortcuts

Move the shortcuts you created in the GPO, which are now published, to the place where you want them to be on all desktops.

11

Start ReIcon

When you are finished with the previous step start the x86 or x64 version of ReIcon from C:\Apps\DesktopLayout\
Save the icon layout as is and give it a logical name.

NOTE! Do NOT edit this file unless you know what you are doing. I removed a few details from the example as shown above and placed <> to explain what is shown in the file when it is created.

Once you have saved the layout you can mess it up and use the program to restore the layout to the one you have just saved. This is labour intensive for a user to do if they have messed up their layout.

12

Deploy the program

Now comes the tricky part.
Create a new GPO, or use the existing one in which you created the shortcuts, to set up a script that runs the program with the INI at start-up on every computer you log in to with the account you made a member of the group.

Just leave the security group as is for this test step.

You have to create a WMI filter in your GPO editor to make sure the shortcuts are only deployed to Windows Clients and not to servers by mistake. If you are using Virtual Desktops on a server OS then the WMI query should be different.

namespace: root\CIMv2
select * from Win32_OperatingSystem WHERE ProductType = "1"

Ignore the error you get when you are trying to save the WMI query.

If you have both X86 and X64 machines, you have to create another shortcut with the same parameters, only using ReIcon.exe instead of ReIcon_X64.exe

Note: You can also set this program shortcut to run locally on the user’s computer if you want to. I want control so I’m running it from the server with the INI file in the arguments.
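Because every user starts the executable and the INI from the server at logon, anyone who can write to that folder can change what runs in every user's session. The following PowerShell function is an added example, not part of the original How-To: it lists NTFS permissions on the deployment folder that give write access to anyone outside a small set of administrative principals. The UNC path is a placeholder and the list of trusted principals is an assumption to adapt.

```powershell
# Added example: lists NTFS permissions that would let a non-admin replace the
# files every user runs at logon. Share-level permissions are not checked.
# Needs PowerShell 3.0 or later.
function Get-RiskyWriteAce {
    param([Parameter(Mandatory)][string]$Path)

    $R    = [System.Security.AccessControl.FileSystemRights]
    # Rights that let a principal change, replace or re-permission a file,
    # plus the raw GENERIC_ALL / GENERIC_WRITE bits seen on inherit-only ACEs.
    $mask = [int]($R::Write -bor $R::Delete -bor $R::DeleteSubdirectoriesAndFiles -bor
                  $R::ChangePermissions -bor $R::TakeOwnership) -bor 0x50000000

    # SYSTEM, BUILTIN\Administrators, CREATOR OWNER; Domain/Enterprise Admins by RID.
    $trusted = '^(S-1-5-18|S-1-5-32-544|S-1-3-0|S-1-5-21-[\d-]+-(512|519))$'

    $items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse)
    foreach ($item in $items) {
        foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (-not ([int]$ace.FileSystemRights -band $mask)) { continue }
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
            if ($sid -match $trusted) { continue }
            [pscustomobject]@{
                Path     = $item.FullName
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
}

# Placeholder path (assumption): the folder the logon script starts ReIcon from.
Get-RiskyWriteAce -Path '\\SERVER\Share$\DesktopLayout' | Format-Table -AutoSize
```

An empty result means only the listed administrative principals can modify the files; ordinary users need no more than Read & Execute on this folder.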

14

Mess up

Now mess up the desktop and remove the C:\Apps folder, including all contents, from your test computer, once you have verified that all files are on the server or somewhere safe, just in case it does not work.

15

GPUPDATE & Reboot

Now run GPUPDATE /FORCE from the command line and/or reboot your computer, then log in to the test account and verify that everything is working as it should be. The desktop should be as it is supposed to be: default, and not messed up like you left it in the previous step.

16

Free the GPO

If everything is okay, then you can remove the security group from the GPO and add Authenticated Users back again. Link it to the right OU and sit back and enjoy the ride. :):)

Conclusion

Make sure you always keep the master client available when you are deploying new shortcuts so you can create a new iconlayout.ini to use again for deployment.
Remember that the GPO is deploying shortcuts straight away after you have created them in the GPO. The icon layout program is only run at login. If you want to make it run more often you have to create a scheduled task to do so.

If you have any questions please let me know.

I would like to give a special thank you to the community here that helped me with my question how to solve the problem I had before. See references for the link to that question.

Dude, I would have never known where to even start. That is amazing that you were able to figure it out. Thanks so much for this detailed write-up. I hope to never be in that position to have to do that.

Something to be aware of, with Windows 10 you will struggle to maintain and roam certain customisations, in particular the Start menu layout. Microsoft in their wisdom have made a design change, where Start configuration and layout is now excluded from the profile. There are workarounds but they're unsupported of course.

If your customisation applies only to the desktop, you should be Ok though.

@ HaroldFinch this How To only applies to the desktop of Windows. We have Windows 10 clients running and it's a struggle to get some things managed through GPO's. I already figured that out. Not going to touch the start menu for now.

I've done this several times. Not like this tutorial but equally effective. Mandatory profiles are awesome. This is used mostly in departments where users are moved around constantly. Same desktop everywhere. As long as they have their mapped drives, all is good.

I do something like this for students in school. We have desktop and start menu redirects, right click on desktop is disabled so the kids can't move icons or change size etc, wallpaper and the like, and we use a mandatory profile so if the little "darlings" do manage to change anything, all the changes are lost at logon as the profile is read only.

I think the easiest way is to create a GPO for folder redirection policy and instead of redirecting the 'desktop' to each individual user profile on the network, to have all desktops redirected to the same place. This means if IT wants to add an icon you can just drag and drop it to a place on your network. There are also GPO settings to prevent users from changing desktop settings. I personally do not limit my users' desktop but I did add a custom login screen and changed the default icon to the company logo. I believe it makes people feel a tad bit better about working at the company.

If this is an RDS environment you can just drop all the icons you want them to have into the "Default Desktop" folder. They can't delete or modify shortcuts you place there unless you give them local admin rights (which would be a huge mistake on a server).

If everyone works on desktops you could technically do the same thing but GPO would be easier.